Cyber Incident Victim: Pitești children's hospital
Date:
Feb 2024
Location:
Romania
Summary
Attackers compromised a widely used medical software platform, deploying the ransomware BackMyData across dozens of Romanian hospitals and prompting the national cyber‑security centre to order more than a hundred facilities to disconnect from the internet. Staff at Pitești children's hospital were the first to notice system errors, after which medical teams switched to pen‑and‑paper workflows while IT specialists worked with the software vendor to isolate the infection and restore services from backups. Within a few days most hospitals resumed normal operations, with no deaths or serious harm reported, although some data entered during the outage was lost permanently.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The cyber‑attack on Romania’s hospitals began on Saturday 10 February 2024 when attackers compromised the Hippocrates medical software supplied by Bucharest‑based RSC, deploying the ransomware strain BackMyData across the network. Staff at Pitești children’s hospital, located north‑west of Bucharest, were the first to notice system errors on Sunday morning 11 February, the day after the intrusion started. By dawn on Monday 12 February, numerous other hospitals reported that the Hippocrates platform was down, prompting the national cyber‑security centre (DNSC) to order more than 100 facilities to disconnect from the internet in an effort to halt the ransomware’s spread. This disconnection removed all connected devices, email access and web browsing capabilities, forcing medical personnel to operate without digital support.
At Pitești children’s hospital the loss of the Hippocrates system meant that doctors and nurses could no longer retrieve patient admission records, laboratory test results, radiology images, medication orders or supply lists. In response, clinicians switched to pen‑and‑paper documentation, created an offline method to register every patient, requested paper copies of laboratory results and employed Excel and other offline tools to maintain continuity of care. Similar improvised workarounds were adopted at other affected hospitals as teams sought to protect patients while IT specialists worked with the Hippocrates vendor to identify the scope of the infection. Cyber‑investigators determined that 26 hospitals had been infected with BackMyData, which encrypted files and demanded a bitcoin ransom; no deaths or serious harm to patients were reported, although the information recorded on paper during the outage later had to be re‑entered, with some data permanently lost.
Within five days most hospitals had restored operations from recent backups and were functioning close to normal, while the DNSC used media outreach to inform the public to avoid non‑essential visits and to advise against contacting the attackers or paying the ransom. Police have not commented on the investigation into the perpetrators, though a ransomware group linked to BackMyData had its website dismantled in an international operation the previous year and four Russians were arrested abroad. The episode underscored how recent backups facilitated recovery and highlighted the heightened risk faced by increasingly digitised healthcare infrastructure.